III. Recommendations

Recommendations for the Office of Management and Budget:

OMB should establish privacy standards that are at least as good as those in and recommended for the Do Not Pay Initiative to cover all government purchases of commercial databases with personal information. OMB should consider accomplishing an expansion by establishing a task force that includes representatives of consumer and privacy groups.

In the near future, OMB should expand the privacy standards for the Do Not Pay Initiative to require that commercial databases comply fully with all Fair Information Practices, including collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, access and correction rights, and accountability. [54] It is especially important that data subjects have meaningful, timely, and effective access and correction rights to any commercial databases used by federal agencies. OMB should take steps to expand the privacy standards at the earliest possible opportunity following a reasonable test of the new Do Not Pay procedures.

Because The Work Number will be the first test of a pilot project under the Do Not Pay Initiative, OMB should ensure that it provides for ample and prominent notice and public comment opportunity if it proposes permanent adoption of The Work Number. This is essential so that there will be a fair test of the effectiveness of public oversight of the new private sector database standards. Public notice should include extensive documentation about the accuracy, timeliness, relevance, and completeness of The Work Number. An independent audit of The Work Number’s compliance with data standards would be especially useful. In addition, all of the data fields maintained by The Work Number must be published to allow an evaluation of whether any of the data reflects on the exercise of First Amendment rights.

According to the OMB FAQ on the Initiative, Treasury is considering inclusion of state-level data. [55] Before expanding the Initiative to state data, OMB should apply to state databases the same privacy standards and procedures that the Do Not Pay memo applies to commercial databases.

Recommendations for the States:

The states also use commercial data sources and have market power. Each state should follow the example policies established by OMB and require that any commercial databases containing personal information used for state activities meet privacy standards consistent with Fair Information Practices. Standards for state purchases might be established using executive rather than legislative authority. Governors or State Attorneys General might consider establishing uniform standards here so that all states impose the same standards.

Recommendations for Congress:

Congress should request that the Government Accountability Office review the implementation of the OMB Do Not Pay Initiative to make sure that the privacy standards are fairly implemented.

Recommendation for the Federal Trade Commission:

The Federal Trade Commission has long had the ability to determine that the failure of a commercial database containing personal information to meet Fair Information Practices is an unfair trade practice. The Commission has not yet taken any meaningful step in that direction. Nevertheless, any partial action by the FTC toward the goal of broader implementation of Fair Information Practices would still be welcome.

Recommendation for the public, including consumer and privacy groups:

The public, as well as consumer and privacy groups, should closely monitor the Do Not Pay Initiative and should actively participate in any opportunity for public comment about the use of commercial databases.
